I'm a privacy pragmatist, writing about the intersection of law, technology, social media and our personal information. If you have story ideas or tips, e-mail me at khill@forbes.com. PGP key here.
These days, I'm a senior online editor at Forbes. I was previously an editor at Above the Law, a legal blog, relying on the legal knowledge gained from two years working for corporate law firm Covington & Burling -- a Cliff's Notes version of law school.
In the past, I've been found slaving away as an intern in midtown Manhattan at The Week Magazine, in Hong Kong at the International Herald Tribune, and in D.C. at the Washington Examiner. I also spent a few years traveling the world managing educational programs for international journalists for the National Press Foundation.
I have few illusions about privacy -- feel free to follow me on Twitter: kashhill, subscribe to me on Facebook, Circle me on Google+, or use Google Maps to figure out where the Forbes San Francisco bureau is, and come a-knockin'.

What It's Like Running A Shared Wi-Fi Network For A Bunch Of Hackers

This week, people who care about security — and specialize in compromising it — are gathered in the adult theme park that is Las Vegas for back-to-back hacker conferences, Black Hat and Defcon. Security researchers show off their best parlor tricks, demonstrating ways they’ve hacked cars, security systems, thermostats, credit card readers, and the hackers themselves, as two researchers talked about how they helped law enforcement take down Cryptolocker — the infamous ransomware that encrypted an infectee’s files and would only release the digital hostages if a Bitcoin ransom were paid. Tickets to the more corporate work-week conference Black Hat are over $1,000 while tickets for the weekend conference Defcon are just $220. Included in the tickets for both conferences is free Wi-Fi. But most conference attendees describe themselves as being too terrified to use it due to the inherent risk of sharing a network with a bunch of people skilled at compromising devices connected to a network.

Aruba Networks provided the Wi-Fi for the Black Hat conference at the Mandalay Bay, its fifth year doing so. I swung by Aruba’s operating room to see how many people were actually using the service, and to speak with Aruba security architect Jon Green. Of the 8,000 people in attendance, nearly 1,000 brave souls were using the wireless on a Wednesday afternoon.

“Open WiFi networks are scary, so we use WPA2 encryption,” said Green. There was an option to connect using the password distributed by the conference organizers, or to create a private account on top of that for your own private key. He reassured me that I wouldn’t get the computer equivalent of an STD just from connecting to it. “We block intra-user traffic on the network,” he explained, saying they wanted to prevent people from making unauthorized connections to other people’s devices. I was still a little wary.

Thanks to being the overseer of the network, Aruba gets snapshots of what devices Black Hatters were using to get online and what they were doing once they got there:

Overview of the network activity at Black Hat

Overview at a different point, when lots of iPhone users hopped on the network

A good percentage of attendees had their own VPNs to encrypt their activity. Others didn’t seem to care about surfing non-encrypted http sites where their activity could be detected by a sniffer. You could tell from the mail services people were connecting to where they worked. While I watched, an employee from a large security company started using a ton of bandwidth, apparently to back up something huge to his Google Drive.

Aruba Networks security architect Jon Green

Green says he has two main objectives: making sure the network stays up, and making sure those using it are secure. Aruba monitors users’ activity for anything weird on the network — intrusions or attempted denial of service attacks — to see if they need to shut anyone down or restrict their access. They also keep an eye on other people offering Wi-Fi; many people brought their own Mi-Fis to the event.

Black Hat starts with training sessions for attendees on improving their hacking skills. “All these guys just learned to use new tools, and they want to try them out on our network, so we see weird stuff,” says Green. “But the tools are designed to work on poorly designed networks so we’re fine.”

The most disruptive thing they saw was the disappearance of one of their 130 wireless access points. It went offline at 3:05 a.m. on Tuesday night. Someone stole it. In another incident, while walking around the conference, Green saw someone plug one of the access points into his computer to try to “sniff” the traffic. He watched him for a few minutes before walking over and asking, “You’re not getting much are you?” The traffic was encrypted passing through access points as well. The guy said, “no,” sheepishly.

Many attendees, to be safe, bring burner laptops so that they can wipe them after the conference in case anything weird does happen. Or keep their devices in airplane mode the whole time. Green encouraged me to stick to encrypted — https — sites if I did use the network, and away from using apps with unknown security practices, to avoid having my traffic sniffed. In previous years, Black Hat had a “wall of sheep” that would display people’s usernames and passwords if they sent them over the network on a non-encrypted site. But as it’s become more corporate, it’s gotten rid of that.

“The scariest place to be is on the Wi-Fi at the airport after the conference ends,” says Green.
